Wi-Fi packet sniffing / monitoring on Windows using Raspberry Pi - inspired by Wimonitor

Wimonitor is a wonderful product from Hacker Arsenal that saves pentesters the hassle of having to configure VMs, carry compatible wireless cards that support monitor mode etc. and comes with a web interface to do the configurations. It gives you the flexibility to plug in the device into the Ethernet port and start Wi-Fi monitoring on any OS. Basically it is a tp-link TL-MR3020 router with a custom firmware that does all the monitoring part and sends the packets to the host laptop (or Mac !) where you can start Wireshark and concentrate on the packet analysis.

I haven’t got one yet, but have been hearing good reviews about the product since launch. The shipping cost to EU is a bummer :(. Hopefully they will start shipping from EU soon.

Meanwhile - why not try this on a Raspberry Pi ?

Snagging Active Directory credentials over WiFi - Part 1

This issue has been fixed on Windows 8+ as part of MS16-112 issued in September 2016. I haven’t checked this on a Windows 7 machine which isn’t listed on the Microsoft page.

Basics

The basic theory behind the attack is same as @mubix’s discovery - if you connect a network interface to a Windows system and have Responder tool poisoning the network, you can obtain the hashes (NTML responses) from the machine without any user intervention. This works even with the computer in locked state.

In my scenario, I’m using a rogue Open WiFi network to grab the hashes. The result is the same and at times, I had better results than plugging in a Pi Zero. The Responder tool captures the hashes which can then be cracked using tools like hashcat.